Secret Court Ruling Put Tech Companies in Data Bind

Published: June 13, 2013

SAN FRANCISCO — In a secret court in Washington, Yahoo’s
top lawyers made their case. The government had sought help in spying on certain foreign users, without a warrant, and Yahoo had refused, saying the broad requests were unconstitutional.

The judges disagreed. That left Yahoo two choices: Hand over the data or break the law.

So Yahoo became part of the National Security Agency’s secret Internet surveillance program, Prism, according to leaked N.S.A. documents, as did seven other Internet companies.

Like almost all the actions of the secret court, which operates under the Foreign Intelligence Surveillance Act, the details of its disagreement with Yahoo were never made public beyond
a heavily redacted court order, one of the few public documents ever to emerge from the court. The name
of the company had not been revealed until now. Yahoo’s involvement was confirmed by two people with knowledge of the proceedings. Yahoo declined to comment.

But the decision has had lasting repercussions for the dozens of companies that store troves of their users’ personal information and receive these national security requests — it puts them on notice that they need not even try to test their
legality. And despite the murky details, the case offers a glimpse of the push and pull among tech companies and the intelligence and law enforcement agencies that try to tap into the reams of personal data stored
on their servers.

It also highlights a paradox of Silicon Valley: while tech companies eagerly vacuum up user data to track their users and sell ever more targeted ads, many also have a libertarian streak ingrained in their corporate cultures that resists sharing that
data with the government.

“Even though they have an awful reputation on consumer privacy issues, when it comes to government privacy, they generally tend to put their users first,” said Christopher Soghoian, a senior policy analyst studying technological surveillance
at the American Civil Liberties Union. “There’s this libertarian, pro-civil liberties vein that runs through the tech companies.”

Lawyers who handle national security requests for tech companies say they rarely fight in court, but frequently push back privately by negotiating with the government, even if they ultimately have to comply. In addition to Yahoo, which fought disclosures
under FISA, other companies, including Google, Twitter, smaller communications
providers and a group of librarians, have fought in court elements of National Security Letters, which the F.B.I. uses to secretly collect information about Americans. Last year, the government issued more than
1,850 FISA requests and 15,000 National Security Letters.

“The tech companies try to pick their battles,” said Stephen I. Vladeck, a law professor at American University who has challenged government counterterrorism surveillance. “Behind the scenes, different tech companies show different
degrees of cooperativeness or pugnaciousness.”

But Mr. Vladeck added that even if a company resisted, “that may not be enough, because any pushback is secret and at the end of the day, even the most well-intentioned companies are not going to be standing in the shoes of their customers.”

FISA requests can be as broad as seeking court approval to ask a company to turn over information about the online activities of people in a certain country. Between 2008 and 2012, only two of 8,591 applications were rejected,
according to data gathered by the Electronic Privacy Information Center, a nonprofit research center in Washington. Without obtaining court approval, intelligence agents can then add more specific requests —
like names of individuals and additional Internet services to track — every day for a year.

National Security Letters are limited to the name, address, length of service and toll billing records of a service’s subscribers.

Because national security requests ban recipients from even acknowledging their existence, it is difficult to know exactly how, and how often, the companies cooperate or resist. Small companies are more likely to take the government to court, lawyers
said, because they have fewer government relationships and customers, and fewer disincentives to rock the boat. One of the few known challenges to a National Security Letter, for instance, came from a small Internet
provider in New York, the Calyx Internet Access Corporation.

The Yahoo ruling, from 2008, shows the company argued that the order violated its users’ Fourth Amendment rights against unreasonable searches and seizures. The court called that worry “overblown.”

“Notwithstanding the parade of horribles trotted out by the petitioner, it has presented no evidence of any actual harm, any egregious risk of error, or any broad potential for abuse,” the court said, adding that the government’s
“efforts to protect national security should not be frustrated by the courts.”

One of the most notable challenges to a National Security Letter came from an unidentified electronic communications service provider in San Francisco. In 2011, the company was presented with a letter from the F.B.I., asking for account information of
a subscriber for an investigation into “international terrorism or clandestine intelligence activities.”

The company went to court. In March, a Federal District Court judge, Susan Illston, ruled the information request unconstitutional, along with the gag order. The case is under appeal, which is why the company cannot be named.

Google filed a challenge this year against 19 National Security Letters in the same federal court, and in May, Judge Illston ruled against the company. Google was not identified in the case, but its involvement was confirmed by a person briefed on the
case.

In 2011, Twitter successfully challenged a silence order on a request authorized by the Stored Communications Act.

Other companies are asking for permission to talk about national security requests. Google negotiated with Justice officials to publish the number of letters they received, and were allowed to say they each received between zero and 999 last year, as
did Microsoft. The companies, along with Facebook and Twitter, said Tuesday that the government should give them more freedom to disclose national security requests.

The companies comply with a vast majority of nonsecret requests, including subpoenas and search warrants, by providing at least some of the data.

For many of the requests to tech companies, the government relies on a 2008 amendment to FISA. Even though the FISA court requires so-called minimization procedures to limit incidental eavesdropping on people not in the original order, including Americans,
the scale of electronic communication is so vast that such information — say, on an e-mail string — is often picked up, lawyers say.

Last year, the FISA court said the minimization rules were unconstitutional, and on Wednesday, ruled that it had no objection to sharing that opinion publicly. It is now up to a federal court.

Nicole Perlroth and Somini Sengupta contributed reporting from San Francisco.

This article has been revised to reflect the following correction:

Correction: June 15, 2013

An article on Friday about technology companies’ discomfort with and challenges of government surveillance programs misstated the type of order to remain silent about an information request successfully challenged
by Twitter in 2011. It was an order authorized by the Stored Communications Act, not a National Security Letter.

A version of this article appeared in print on June 14, 2013, on page A1 of the New York edition with the headline: Secret Ruling Put Tech Firms In Data Bind.